Python
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Python product.
RSS Feeds for Python security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Python products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Python Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 21 vulnerabilities in Python with an average score of 5.8 out of ten. Last year, in 2025 Python had 16 security vulnerabilities published. That is, 5 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.94
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 21 | 5.80 |
| 2025 | 16 | 6.74 |
| 2024 | 16 | 6.58 |
| 2023 | 18 | 6.40 |
| 2022 | 22 | 7.57 |
| 2021 | 28 | 7.45 |
| 2020 | 24 | 8.06 |
| 2019 | 26 | 7.65 |
| 2018 | 11 | 7.18 |
It may take a day or so for new Python vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Python Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-3087 | Apr 27, 2026 |
CPython shutil.unpack_archive ZIP Path Traversal on WindowsIf `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability. |
Cpython
|
| CVE-2026-6357 | Apr 27, 2026 |
pip Self-update Import Vulnerability Prior to 26.1pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation. |
Pip
|
| CVE-2026-6019 | Apr 22, 2026 |
Python CPython <3.15.0 Morsel.js_output XSS via <script>http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. |
Python
|
| CVE-2026-3298 | Apr 21, 2026 |
Python 3.11-3.14 OOB Buffer Write in ProactorEventLoop (WS)The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected. |
Python
|
| CVE-2026-3219 | Apr 20, 2026 |
pip: Misidentified tar·ZIP archives can install wrong filespip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both. |
Pip
|
| CVE-2026-5713 | Apr 14, 2026 |
Privileged Memory Access via Profiling.Sampling/Asyncio Introspection in CPython <3.15The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR. |
Python
|
| CVE-2026-4786 | Apr 13, 2026 |
Python CPython "webbrowser.open" "%action" URL injection (CVE-2026-4786)Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. |
Python
|
| CVE-2026-6100 | Apr 13, 2026 |
UAF in CPython lzma/BZ2/gzip Decompressors before v3.15.0Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable. |
Cpython
|
| CVE-2026-1502 | Apr 10, 2026 |
Python http.client CRLF injection via proxy tunnel headers (before 3.15)CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. |
Python
|
| CVE-2026-4519 | Mar 20, 2026 |
CPython webbrowser.open() Leading-Dash URL Injection in 3.15The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). |
Cpython
|
| CVE-2026-3479 | Mar 18, 2026 |
CPython pkgutil.get_data Path Traversal (before 3.15.0)DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. |
Cpython
|
| CVE-2026-4224 | Mar 16, 2026 |
C stack overflow in Expat ElementDeclHandler (CPython <3.15)When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. |
Cpython
|
| CVE-2026-3644 | Mar 16, 2026 |
CPython 3.14: http.cookies.Morsel control char bypass (CVE-2026-3644)The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). |
Cpython
|
| CVE-2025-13462 | Mar 12, 2026 |
CVE-2025-13462: Path Normalization Bypass in CPython tarfile before 3.15The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. |
Cpython
|
| CVE-2026-2297 | Mar 04, 2026 |
Audit Event Bypass in CPython FileLoader before 3.15.0The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. |
Cpython
|
| CVE-2026-25990 | Feb 11, 2026 |
Pillow 10.312.1.1: OOB Write PSD Image Load (Fixed 12.1.1)Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. |
Pillow
|
| CVE-2026-1703 | Feb 02, 2026 |
Python Pip Wheel Extraction Path Traversal (CVE-2026-1703)When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. |
Pip
|
| CVE-2026-0994 | Jan 23, 2026 |
DoS via max_recursion_depth Bypass in google.protobuf.json_format.ParseDict()A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Pythons recursion stack and causing a RecursionError. |
|
| CVE-2026-24049 | Jan 22, 2026 |
wheel 0.40.00.46.1: Permission Bypass via malicious wheel, PrivEscwheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. |
|
| CVE-2025-12781 | Jan 21, 2026 |
Python CPython base64 altchars misuse in 3.13-3.15When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. |
Cpython
|
| CVE-2026-22702 | Jan 10, 2026 |
virtualenv Before 20.36.1: TOCTOU Symlink Race Enables Local Path Traversalvirtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. |
|
| CVE-2025-12084 | Dec 03, 2025 |
Python XML DOM minidom quadratic appendChild CVE-2025-12084When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. |
Python
|
| CVE-2025-13837 | Dec 01, 2025 |
Python plistlib OOM DoS via malicious plistWhen loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues |
Python
|
| CVE-2025-8291 | Oct 07, 2025 |
Python zipfile ZIP64 EOCD Locator offset validation flawThe 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. |
Python
|
| CVE-2025-8869 | Sep 24, 2025 |
pip TAR Extraction Vulnerability: Symbolic Links without PEP706When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice. |
Pip
|
| CVE-2025-8194 | Jul 28, 2025 |
cPython TarFile Infinite Loop via Negative OffsetThere is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the tarfile module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 |
Python
|
| CVE-2025-50182 | Jun 19, 2025 |
urllib3 v2.2.0-2.5.0 redirect control flaw in Pyodide browser runtimesurllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0. |
Urllib3
|
| CVE-2025-6069 | Jun 17, 2025 |
Python HTMLParser Quadratic Complexity DoS VulnerabilityThe html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. |
Python
|
| CVE-2024-47081 | Jun 09, 2025 |
Requests before 2.32.4 leaks .netrc credentials via URL parsingRequests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session. |
Requests
|
| CVE-2025-4138 | Jun 03, 2025 |
Python 3.14+ tarfile extraction filter bypass (symlink outside dir)Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. |
Python
|
| CVE-2025-4330 | Jun 03, 2025 |
Python 3.14+ tarfile Filter Bypass for Symlink ExtractionAllows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. |
Python
|
| CVE-2025-4517 | Jun 03, 2025 |
Python tarfile Arbitrary FS Write via filter='data' (pre-3.14) CVE-2025-4517Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. |
Python
|
| CVE-2024-12718 | Jun 03, 2025 |
Python 3.12+ Tarfile Filter CVE-2024-12718: External Metadata ModificationAllows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. |
Python
|
| CVE-2025-47273 | May 17, 2025 |
setuptools <78.1.1 Path Traversal via PackageIndex allows file writesetuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. |
Setuptools
|
| CVE-2024-3220 | Feb 14, 2025 |
Python CPython Mimetypes MemoryError on Startup via Writable File Locs WindowsThere is a defect in the CPython standard library module mimetypes where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as /etc/mime.types) also being used on Windows, where they are user-writable locations (C:\etc\mime.types). To work-around this issue a user can call mimetypes.init() with an empty list ([]) on Windows platforms to avoid using the default list of known file locations. |
Python
|
| CVE-2024-57956 | Feb 06, 2025 |
Out-of-Bounds Read in Python's String Interpreter ModuleOut-of-bounds read vulnerability in the interpreter string module Impact: Successful exploitation of this vulnerability may affect availability. |
Python
|
| CVE-2025-0938 | Jan 31, 2025 |
Python urllib.parse: Invalid Square Bracket URL Parsing IssueThe Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. |
Python
|
| CVE-2024-12254 | Dec 06, 2024 |
Python 3.12+ Asyncio._SelectorSocketTransport Memory Exhaustion via writelines()Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected. |
Python
|
| CVE-2024-52304 | Nov 18, 2024 |
aiohttp <3.10.11 Request Smuggling via Incorrect Chunk Extension Parsingaiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue. |
Aiohttp
|
| CVE-2024-11168 | Nov 12, 2024 |
Python urllib.parse SSRF Vulnerability via Improper Host ValidationThe urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. |
Python
|
| CVE-2024-9287 | Oct 22, 2024 |
CVE-2024-9287: CPython venv CLI Command Injection via Unquoted PathsA vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. |
Python
Cpython
|
| CVE-2024-6232 | Sep 03, 2024 |
CPython ReDoS via Regex in tarfile Header ParsingThere is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. |
Python
Cpython
|
| CVE-2024-7592 | Aug 19, 2024 |
CPython http.cookies Quadratic Complexity CPU Exhaustion (CVE20247592)There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. |
Python
Cpython
|
| CVE-2024-6923 | Aug 01, 2024 |
CPython Email Module Header Injection via Improper Newline QuotingThere is a MEDIUM severity vulnerability affecting CPython. The email module didnt properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. |
Cpython
|
| CVE-2024-3219 | Jul 29, 2024 |
CPython SocketModule AF_INET socketpair race (Win), 3.5+The socket module provides a pure-Python fallback to the socket.socketpair() function for platforms that dont support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included. |
Python
|
| CVE-2024-6345 | Jul 15, 2024 |
setuptools <=69.1.1 RCE via download URL injectionA vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. |
Setuptools
|
| CVE-2024-5642 | Jun 27, 2024 |
CPython 3.9+ SSLContext.set_npn_protocols Empty List Buffer Over-ReadCPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). |
Python
|
| CVE-2024-4032 | Jun 17, 2024 |
Python ipaddress CVE-2024-4032 incorrect is_private/is_global until v3.12.4The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as globally reachable or private. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldnt be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. |
Python
Cpython
|
| CVE-2024-35195 | May 20, 2024 |
Requests <2.32: Session cert verify bypass persistsRequests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. |
Requests
|
| CVE-2024-4030 | May 07, 2024 |
Python tempfile.mkdtemp() Improper Permission Handling on WindowsOn Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If youre not using Windows or havent changed the temporary directory location then you arent affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix 700 for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions. |
Python
|